Euler Finance Hack Postmortem Reveals 8-Month-Old Vulnerability

Table of Contents

• An Eight-Month-Old Vulnerability 
• How The Vulnerability Was Exploited 
• Euler Finance Working With Security Groups 

A postmortem of Euler Finance’s flash loan exploit has revealed that the vulnerability at the root of the exploit remained on-chain for 8 months. 

As a result of the vulnerability, Euler Finance lost $200 million earlier this week. 

An Eight-Month-Old Vulnerability 

Euler Finance’s auditing partner, Omniscia, has released a detailed postmortem report analyzing the vulnerability that hackers exploited earlier in the week. According to the postmortem report, the vulnerability occurred from the decentralized finance protocol’s incorrect donation mechanism, which permitted for donations to be performed without a proper health check. The code was introduced in eIP-14, a protocol that introduced an array of changes in the Euler Finance ecosystem. 

Euler Finance allows users to create artificial leverage by minting and depositing assets in the same transaction. This mechanism enabled users to mint more tokens than the collateral held by Euler Finance itself. The new mechanism allowed users to donate their balance to the reserve balance of the token they transacted with. However, it failed to perform any type of health check on the account performing the donation. 

How The Vulnerability Was Exploited 

The donation would have caused the user’s debt (DToken) to remain unchanged. However, their equity (EToken) balance would see a decrease. At this point, a liquidation of the user’s account would lead to a portion of the Dtokens remaining, leading to the creation of bad debt. This flaw allowed the attacker to create an over-leveraged position and then liquidate it themselves in the same block by artificially causing it to go “under water.”

When the hacker liquidates themselves, a percentage-based discount is applied, causing the liquidator to incur a significant portion of EToken units at a discount and guarantee that they would be “above water,” incurring the debt that would match the collateral acquired. This would result in a violator with bad debt (DTokens) and a liquidator that has an over-collateralization of their debt. 

Omniscia stated that the feature that lay at the heart of the vulnerability was not in the scope of any audits conducted by the firm. According to the analysis, a third-party audit was responsible for the review of the code in question, which was then approved. The donateToReserves function was audited in July 2022 by the Sherlock Team. Euler and Sherlock also confirmed that the former had an active coverage policy with Sherlock when the exploit occurred. 

Euler Finance Working With Security Groups 

Following the exploit, Euler Finance stated that the protocol was working with other security groups to perform further audits. Additionally, it stated that it had also contacted law enforcement officials and agencies in an effort to recover the stolen funds. 

“We are devastated by the effect of this attack on Euler protocol users and will continue to work with our security partners, law enforcement, and the broader community to resolve this as best we can. Thank you so much for your support and encouragement.”

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.